GAO official cites privacy risk in data-mining efforts

Federal agencies are falling short in protecting privacy when performing data mining, according to congressional testimony from a senior Government Accountability Office official.

Both data mining'in which large amounts of data from different sources are aggregated, searched and analyzed'and radio-frequency identification technologies are raising privacy concerns, Linda Koontz, director of information management issues for GAO, said in testimony before the House Judiciary Subcommittee on Commercial and Administrative Law yesterday.

Koontz added that although agencies that use data mining took many necessary steps, including issuing public notices, to protect privacy, none of them followed such key procedures as including in the notices the intended use of the information.

Furthermore, Privacy Impact Assessments performed on federal data-mining efforts are not meeting Office of Management and Budget guidance, Koontz said. Out of five federal data-mining efforts assessed, only three had conducted privacy impact assessments, and none had complied fully with OMB guidance, she said.

As for RFID, while common applications, such as inventory control, are acceptable, the potential use of RFID to track travel movements of people is likely to generate privacy concerns, Koontz said.

Using RFID, a person's movements can be monitored in real time by tracking devices that someone carries. The same RFID can be used to assemble profiles of people, based on their movements and transactions over a period of time, to ascertain information about their habits, Koontz said.

A third concern over RFID is potential mission creep, in which a narrowly defined operation inadvertently expands to a much broader'and potentially invasive'mission.

GAO has previously reported that federal officials are uncertain about how to apply privacy protections to the collection and use of personal information obtained from commercial sources, including information resellers.